EventID from WinEvtLogs?

Forum for the RSyslog Windows Agent. Here you can ask all questions regarding installation, configuration or occurring problems.

Moderator: rgerhards

EventID from WinEvtLogs?

Postby cmk » Thu Sep 24, 2015 6:09 pm

Hi,

I've been playing around with the Windows agent for a day or so, and it seems like the only way to get the agent to transmit the EventIDs from the WinEvtLogs is to select the XML format? The "Predefined format" does seem to drop this information, regardless of which options (checkboxes) I select, correct?

However, the XML format is rather bloated, and I'm not sure we'd like to use it, if avoidable.

Another thing that would be sweet to have a checkbox for is to skip the 1kB+ piece of descriptive text that comes as part of Logon Events, i.e.:

"Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."

Similar text probably exists in other events, but on a domain controller, this event occurs quite often.

As the documentation is a bit sketchy on the configuration options, and since I've not been working with this agent for a very long time, any pointers to configuration examples and the resulting output would be highly appreciated.

Thanks,

/kristian
cmk
New
 
Posts: 6
Joined: Wed Sep 23, 2015 5:53 pm

Re: EventID from WinEvtLogs?

Postby cmk » Mon Sep 28, 2015 1:14 pm

Ok, so I managed to get the eventID and some other parameters out by using the %id% and other stuff. Still the question remains, will it be possible to drop the informational texts sometimes seen in Windows events?

BR,

Kristian
cmk
New
 
Posts: 6
Joined: Wed Sep 23, 2015 5:53 pm

Re: EventID from WinEvtLogs?

Postby friedl » Mon Sep 28, 2015 2:31 pm

Hi,

if you are only processing the logon events specifically, it still will be a little complicated.

You need:
1) At least two rules. One for the Events without the informational text and one rule for those with the text.

2) In the rule for "normal" Events, filter for the Event ID "AND NOT" for specific parts of the informational text. In the other rule the filter should be for the Event ID "AND" part of the informational text. That should ensure proper separation of Events.

3) Each rule must have an action as you have it now, but with different format. The "normal" Events can be processed as you do now (if the format is satisfactory). The Events with informational text need to strip that text. That can be achieved with property options. In this case most likely the ToPos filter will be sufficient. E.g. %msg::/This event is generated/%
That way, everything from before the "search text" will be used and everything starting with the search text gets discarded. This is also the reason why two rules need to be made to separate Events, else you will receive error messages.

More details are available in the manual at "Accessing Properties": http://www.mwagent.com/help/manual/file ... erties.htm
friedl
Adiscon Support
 
Posts: 67
Joined: Wed Sep 13, 2006 2:31 pm

Re: EventID from WinEvtLogs?

Postby cmk » Tue Sep 29, 2015 8:58 am

Thanks, will have to look into that then, but I guess that these starting strings can be quite varied... I had hoped that there was a magic checkbox to remove all but the good stuff, but perhaps Microsoft has not made any clear structural distinction between 'real' payload and informational text.

/cmk
cmk
New
 
Posts: 6
Joined: Wed Sep 23, 2015 5:53 pm

Re: EventID from WinEvtLogs?

Postby alorbach » Tue Sep 29, 2015 3:01 pm

We have good presets which contain most of the important information. Kindly use the "Replace With->Adiscon EventLog Format" menu after clicking the INSERT button next to the message format. It will generate this format:

%id%,%user%,%sourceproc%,%NTEventLogType%,%severity%,%category%,%msg%%$CRLF%

By the way, this is the required format for Adiscon Loganalyzer.

Then modify the format to this in order to remove control characters and limit the maximum size of the message to 1024 bytes:
%id%,%user%,%sourceproc%,%NTEventLogType%,%severity%,%category%,%msg:1:1024:spacecc,compressspace%%$CRLF%


And you are right, as this is all just plain text without any predefined structure, it is difficult to say what is important and what is not.

best regards,
Andre Lorbach
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am
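The following is an added example, not code from the thread or from Adiscon: a small Python re-implementation of the property options friedl and Andre describe (a ToPos search text such as %msg::/This event is generated/%, and the FromPos/ToPos/spacecc/compressspace options in %msg:1:1024:spacecc,compressspace%), plus the two-rule split that picks one format or the other by Event ID and presence of the informational text. The sample event, its field values and the exact option semantics are assumptions made for illustration; check the agent's manual for the authoritative behaviour.

```python
import re

SEARCH_TEXT = "This event is generated"  # start of the informational text quoted in the thread

# Constructed sample, modelled on the 4624 logon text quoted above (not a real captured event).
SAMPLE_EVENT = {
    "id": "4624", "user": "N/A", "sourceproc": "Microsoft-Windows-Security-Auditing",
    "NTEventLogType": "Security", "severity": "Audit Success", "category": "12544",
    "msg": ("An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n"
            "Logon Type:\t\t3\r\n\r\nDetailed Authentication Information:\r\n\tKey Length:\t\t0\r\n\r\n"
            + SEARCH_TEXT + " when a logon session is created. It is generated on the computer that was accessed."),
}

def apply_options(value, from_pos="", to_pos="", opts=""):
    """Hypothetical model of the property options: FromPos/ToPos are 1-based and inclusive;
    a ToPos written as /text/ keeps everything before the first match and drops the rest;
    spacecc replaces control characters with spaces; compressspace collapses runs of spaces."""
    if to_pos.startswith("/") and to_pos.endswith("/"):
        idx = value.find(to_pos[1:-1])
        if idx >= 0:
            value = value[:idx]
    else:
        start = int(from_pos) - 1 if from_pos else 0
        end = int(to_pos) if to_pos else len(value)
        value = value[start:end]
    flags = set(opts.split(",")) - {""}
    if "spacecc" in flags:
        value = re.sub(r"[\x00-\x1f\x7f]", " ", value)
    if "compressspace" in flags:
        value = re.sub(r" {2,}", " ", value)
    return value

def render(fmt, event):
    """Expand %name[:from[:to[:opts]]]% tokens; %$CRLF% becomes the line terminator."""
    def sub(m):
        parts = m.group(1).split(":")
        if parts[0] == "$CRLF":
            return "\r\n"
        return apply_options(str(event.get(parts[0], "")), *parts[1:4])
    return re.sub(r"%([^%]+)%", sub, fmt)

# Andre's preset with size limit and control-character cleanup, and friedl's ToPos-search variant.
FMT_NORMAL = "%id%,%user%,%sourceproc%,%NTEventLogType%,%severity%,%category%,%msg:1:1024:spacecc,compressspace%%$CRLF%"
FMT_STRIP = "%id%,%user%,%sourceproc%,%NTEventLogType%,%severity%,%category%,%msg::/This event is generated/%%$CRLF%"

def route(event):
    """The two-rule separation: Event ID AND informational text -> strip; otherwise the normal format."""
    if event["id"] == "4624" and SEARCH_TEXT in event["msg"]:
        return render(FMT_STRIP, event)
    return render(FMT_NORMAL, event)

if __name__ == "__main__":
    print(route(SAMPLE_EVENT))
```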

Re: EventID from WinEvtLogs?

Postby cmk » Tue Sep 29, 2015 3:39 pm

Thanks, will try it out now.

Would that mean that this is the "Adiscon Event Reporter" format?

We are not using any particular backend receiver other than rsyslog on linux. So now we are building a sort-of vendor-independent collection and storage layer. Once we're happy with that, we will aim for routing different types of logs into varying real-time analysis tools and/or giving access to the raw log storage for more batch-oriented tools.

/cmk
cmk
New
 
Posts: 6
Joined: Wed Sep 23, 2015 5:53 pm
